I have read about a vulnerability that allows to lock any IDE/SATA hard drive with a password, unless the BIOS "freezes" the drive's (no-password) status.
Even though less secure, this protection can also be archieved by software (only few BIOSes have that feature). hdparm offers a "security-freeze" parameter for this.
So, I wanted to add a call to hdparm with the respective parameter to my runlevels. I did so by running "update-rc.d hdparm defaults" and editing /etc/hdparm.conf (removing the '#' in front of the line with the parameter and setting "ROOTFS" to /dev/hda).
Unfortunately, running "hdparm -I /dev/hda" still shows "not frozen", meaning that the protection has not been applied.
Could anybody give me a hint what I'm doing wrong?
Thank you,
Gunther
I'm sorry, I wasn't very accurate.
I have restarted my system; without any effect.
Now, here comes the strange thing...
Running "sudo /etc/init.d/hdparm restart" gives me
. The status remains "not frozen".
However, issuing a "sudo hdparm --security-freeze /dev/hda" gets the job done, reporting "issuing Security Freeze command". The status has been successfully changed.
It's like hdparm doesn't care about its config file...
Btw, I'm running Debian with a 2.6.26-2 kernel, hdparm's version number is 8.9-3.
I see nothing in 'man hdparm' about how it uses the config file. I'm not positive it does, that may be wholly up to the system init script.
hdparm's not a persistent process anyway, so I'm not sure why they decided it belonged in a daemon. I'd just put that line of yours in /etc/local.start or whatever your equivalent is instead of trying to use the system service. (You probably wouldn't need the 'sudo' if you put it there.)